|
PLEASE HELP ME OUT!!!!!!!!!!!!! HJt log included
|
|
Jurgennop
Member
|
19. July 2006 @ 06:48 |
|
Hi,
I just updated my spyware doctor and I think there's sth wrong with my pc now, can anyone please check my log for cleaning, very urgent. Thx a million.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/hlns/cache/homehome.html?10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
|
Jurgennop
Member
|
20. July 2006 @ 09:37 |
|
anyone please?
|
Senior Member
|
20. July 2006 @ 10:12 |
|
log is clean :)
|
Jurgennop
Member
|
20. July 2006 @ 23:55 |
|
how come anytime i boot my pc there's this thing that comes up saying there was an error in explorer.exe and if i want to send to microsoft or not? i can't even click it cuz the screen freezes, then when i reboot, it's gone and i can work normal again, this is always the first time i boot after the pc has been shut down for a while...
|
Jurgennop
Member
|
21. July 2006 @ 07:35 |
|
someone please help me out!! Every time i boot my pc it crashed on the desktop, meaning, the error from explorer.EXE comes up saying if i want to send or not send the report to microsoft, everybody knows which screen i'm talking about, except, i can't click anything on my desktop... but i can move the mouse around... this started happening after suddenly my Zone Alarm pro true vector thingy was shut down for no reason.... please what can i do about this??
Logfile of HijackThis v1.99.1
Scan saved at 17:32:18, on 21/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hln.be/hlns/cache/homehome.html?10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
|
Senior Member
|
21. July 2006 @ 10:12 |
|
There have been problems with Zone Alarm. Try updating it.
If the problems don't go away, remove it and download another firewall.
On my comp I had a similar problem, and after that I started to use Kerio; there aren't problems anymore on my comp.
|
Jurgennop
Member
|
21. July 2006 @ 11:56 |
|
|
Senior Member
|
21. July 2006 @ 12:02 |
|
However, that is exactly the version that has the problems.
Try to uninstall it.
Boot comp,
|
Jurgennop
Member
|
22. July 2006 @ 04:14 |
|
I don't understand,before i updated my spyware doctor,i didn't have this:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
i only had one of the 2,i don't know which one,this is supposed to show only when there is a website open,right??
Well,there's no site open,so i guess something is wrong? does anyone know more?
|
Senior Member
|
22. July 2006 @ 05:44 |
|
Calm down
Quote: I don't understand,before i updated my spyware doctor,i didn't have this:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
i only had one of the 2,i don't know which one,this is supposed to show only when there is a website open,right??
Well,there's no site open,so i guess something is wrong? does anyone know more?
C:\WINDOWS\Explorer.EXE <<<<--- belongs to operating system
C:\Program Files\Internet Explorer\iexplore.exe <<<<-- belongs to internet explorer.
Both are legitimate. If explorer.exe tries to go to the internet, it doesn't have to be allowed to go there.
Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Run the file mwav.exe and unzip it to its default location, C:\Kaspersky
1. Updating the scanner (close the eScan window if open)
-> Go to My Computer
-> C:\
-> Kaspersky
-> Run the file kavupd.exe, it starts downloading updates
-> When downloading is finished, go to C:\Downloads
-> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
-> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
-> Answer Yes to all when it asks about replacing files
-> Now the scanner has been updated
2. Scanner settings
-> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
-> The scanner window opens
-> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
-> When ready, press the Scan Clean button
-> Scanning for infections begins
3. Posting the results
-> When the scan has finished (scan may take quite a long time), you'll need to post the findings
-> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
-> Click the field, press CTRL+A, CTRL+C
-> Then open Notepad and paste the findings into a new document by pressing CTRL+V
-> Save the document to your desktop
-> Post the contents of that textfile to here
|
Jurgennop
Member
|
22. July 2006 @ 06:39 |
|
i am calm,i'll try this asap,thx.
|
Jurgennop
Member
|
22. July 2006 @ 07:16 |
|
ok,i have 2 pc's at home,so i did what you said first on my other pc,to see if i had some infection there as well, and this was the result.
File C:\WINDOWS\smhost.exe tagged as not-a-virus:RemoteAdmin.Win32.Poison Ivy.20. No Action Taken.
what is wrong with this pc and what can be done please?
|
Senior Member
|
22. July 2006 @ 08:30 |
|
Boot to safe mode and delete it
|
Jurgennop
Member
|
23. July 2006 @ 03:11 |
|
ok,how do i do that? with what program or how? I appreciate your help tapiiri
And this is the log from the original pc, the one i started this thread about, apparently, my pc wasn't clean after all, right?
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\drivers\etc\hosts.20050411-134556.backup infected by "Trojan.Win32.Qhost.ha" Virus. Action Taken: File Deleted.
Can you please also explain what this is,and what has to be done?Thx a million.
This message has been edited since posting. Last time this message was edited on 23. July 2006 @ 04:02
|
Senior Member
|
23. July 2006 @ 04:48 |
|
Quote: ok,how do i do that? with what program or how? I appreciate your help tapiiri
Tap F8 as your comp boots and select safe mode from the menu.
Run eScan.
Quote: And this is the log from the original pc,the one i started this thread about,apparently,my pc wasn't clean after all,right?
According to eScan's findings, no, but the HjT log was clean.
Have you still got your OS cd? (your Windows XP disk)
If you have, there's something you can try if you still get those explorer errors though ZA is uninstalled.
|
Jurgennop
Member
|
23. July 2006 @ 05:51 |
|
i've deleted the smhost file,so that's ok,
but i don't have my xp disk and i don't wanna uninstall Zone Alarm,but what i really wanna know is,what are these?
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\drivers\etc\hosts.20050411-134556.backup infected by "Trojan.Win32.Qhost.ha" Virus. Action Taken: File Deleted.
and am i clean now or do i have to do something about these?
|
Jurgennop
Member
|
23. July 2006 @ 07:44 |
|
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\drivers\etc\hosts.20050411-134556.backup infected by "Trojan.Win32.Qhost.ha" Virus. Action Taken: File Deleted.
what can i do about these? i can't find what it renamed the files to, please help me out, when i scan again, these entries are back.
|
Jurgennop
Member
|
23. July 2006 @ 08:34 |
|
also when running a new escan,suddenly AVG came up with this? What is this again now?? Please help me out...
|
Jurgennop
Member
|
23. July 2006 @ 10:43 |
|
please help me out
|
Jurgennop
Member
|
23. July 2006 @ 10:43 |
|
can anyone please help me out???
This message has been edited since posting. Last time this message was edited on 24. July 2006 @ 03:04
|
Jurgennop
Member
|
24. July 2006 @ 03:05 |
|
please,i need help with this...
|
Senior Member
|
24. July 2006 @ 06:18 |
|
|
Jurgennop
Member
|
24. July 2006 @ 06:22 |
|
i am calm
and the problem is not solved,can you please explain what the AVG viruslog mentions in the picture,what is it?
And how can i delete these entries??
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
|
Senior Member
|
24. July 2006 @ 07:52 |
|
AVG resident shield found those two because eScan opened them during the scan.
You had one or more lurks earlier, and they stay in your comp until you shut down the comp. That's why they are in System Restore.
Here is more info on System Restore:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/clea...
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore...
Quote: File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
As you see, eScan renamed them, so they are harmless.
You can delete those manually; follow that path in Windows Explorer.
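Added example, not part of any post in this thread: a small parser for the two eScan result-line shapes pasted above, which deduplicates repeated findings and separates files the scanner deleted from those still on disk (renamed or untouched). The status labels and function names are this example's own assumptions, not eScan terminology.

```python
import re
from collections import OrderedDict

# Result lines copied from the posts in this thread; the fourth repeats the
# second without the trailing period, as in a later post.
SAMPLE = r'''
File C:\WINDOWS\smhost.exe tagged as not-a-virus:RemoteAdmin.Win32.Poison Ivy.20. No Action Taken.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\drivers\etc\hosts.20050411-134556.backup infected by "Trojan.Win32.Qhost.ha" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed
this line is not a finding
'''

# Two line shapes appear in the thread: "infected by" and "tagged as".
PATTERNS = (
    re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
               r'Action Taken: (?P<action>.+?)\.?$'),
    re.compile(r'^File (?P<path>.+?) tagged as (?P<name>.+?)\. '
               r'(?P<action>No Action Taken)\.?$'),
)

# Assumed triage buckets (labels invented for this example).
STATUS = {
    "File Deleted": "removed",
    "File Renamed": "renamed-on-disk",
    "No Action Taken": "untouched",
}

def parse_findings(text):
    """Return unique findings as dicts, keeping first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                f = m.groupdict()
                f["status"] = STATUS.get(f["action"], "unknown")
                # The same finding pasted after several scans counts once.
                seen.setdefault((f["path"].lower(), f["name"]), f)
                break
    return list(seen.values())

def follow_up(findings):
    """Findings whose file is still present after the scan."""
    return [f for f in findings if f["status"] != "removed"]

if __name__ == "__main__":
    for f in follow_up(parse_findings(SAMPLE)):
        print(f'{f["status"]:16} {f["name"]:45} {f["path"]}')
```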
|
Jurgennop
Member
|
24. July 2006 @ 10:31 |
|
I followed the path but i can't find them
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p???????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\J.NOPPE\Application Data\SecuROM\UserData\???????????p??????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed
They were even in the hidden folder application data
so how can i know what escan renamed them to??
also which order do i use?
first disable system restore, then scan and clean and then re-enable system restore?
This message has been edited since posting. Last time this message was edited on 24. July 2006 @ 10:34
|
|